Network Policies: Ingress Rules

One misplaced - in a NetworkPolicy YAML and a combined podSelector + namespaceSelector rule becomes OR instead of AND. No error, no warning. The policy applies cleanly, and the wrong Pods reach your service. That is the gotcha this article is built around.

NetworkPolicy is the Kubernetes API for expressing L3/L4 traffic rules. It operates at IP and port level, not at the HTTP level. No URL path matching, no header inspection, no TLS SNI routing. That's service mesh territory. NetworkPolicy draws hard lines around which Pods can communicate with which Pods on which ports.